IPsec (Internet Protocol Security) is a framework for a set of protocols for security at a network or packet processing layer of network communication. Earlier security approaches inserted security at the application layer of the communications model. IPsec is thus particularly useful for implementing virtual private networks and for remote user access through various connections to private networks.
One advantage of IPsec is that security arrangements can be handled without requiring changes to individual user computers. IPsec provides two choices of security service. First provided is an authentication header (AH), which essentially allows authentication of the sender of data. Further provided is an encapsulating security payload (ESP), which supports both authentication of the sender and encryption of data as well. The specific information associated with each of these services is typically inserted into the packet in a header that follows the IP packet header.
In the context of the present description, a security association (SA) is defined as a relationship between two or more entities that describes how the entities utilize security services to communicate effectively. Physically, it may include a structure containing information on a set of agreements for communication including, for example, keys used for the decryption or authentication of packets. Moreover, a security parameter index (SPI) is combined with the destination IP and security protocol (AH or ESP) to uniquely specify an SA. Each AH and ESP header may, for example, contain a 32-bit SPI field.
Prior art FIG. 1 illustrates an exemplary framework 100 of IPSec layers and corresponding SAs in a packet, in accordance with the prior art. As shown, four (4) SAs are provided in the present exemplary framework 100. Of course, however, it should be noted that there could be as few as one and no theoretical limit (i.e. with iterated tunneling). Also note that there is an IP header separating the SAs.
The SAs are arbitrarily labeled A, B, C and D. Another packet may or may not use A, B, C or D, but instead use another SA, such as F (unillustrated). In use, each SA has a limited lifetime and a successor may be setup before it expires so that the successor can seamlessly replace it (without interrupting the connection). In the context of the present description, each generation of an SA is denoted by an associated index. For example, SA F5 would succeed F4, and so forth. It should be noted that the successor SA may have a completely different identity (SPI) and encryption/authentication keys with respect to any predecessor.
In the past, IPSec processing involving the foregoing framework 100 has typically been carried out utilizing a processor. However, such IPSec processing can be quite cumbersome for a processor, and further drain associated resources during use. Thus, there is a continuing need to integrate IPSec processing into transport offload engines.
Transport offload engines (TOE) are gaining popularity in high-speed systems for the purpose of optimizing throughput and lowering processor utilization. TOE components are often incorporated into one of various systems including printed circuit boards such as a network interface card (NIC), a host bus adapter (HBA), a motherboard; or in any other desired offloading context.
In recent years, the communication speed in networks has increased faster than processor speed. This increase has produced an input/output (I/O) bottleneck. The processor, which is designed primarily for computing and not for I/O, cannot typically keep up with the data flowing through networks. As a result, the data flow is processed at a rate slower than the speed of the network. TOE technology solves this problem by removing the burden from the processor (i.e. offloading processing) and/or I/O subsystem.
While a TOE may be used to offload a processor of IPSec-type processing, such processing is still quite expensive, even for the TOE. There is thus a need for more efficient techniques of performing IPSec-type processing in the context of a system equipped with a TOE.